How to be Cyber Safe in your Holiday Space

New Zealand Security Magazine - December 2021

Cyber safe holidays
The urgent need for better awareness is not a business-only problem.

According to Jennie Vickers of Zeopard Consulting and Consultant to Fortinet, the first action you need to take to protect your business over the holiday break is security awareness training for everyone, including your employees and your contractors.

Despite being over 2021 we are not quite at year end yet

Most people have had enough of 2021 (I think we said the same for 2020 but anyway, here we are again) and the countdown to the annual shutdown is beginning, encouraged by all the TV advertising reminding us of the lazy hazy days of the summer break. 

One of the differences this year from previous years is the substantial number of devices which will be going off on holiday with your team members, and which are connected back to HQ, to your email, your database, with access to your operational technology (OT), all your IP… get the picture?

According to figures released earlier this year, extracted from Stats NZ data:

  • around 97 percent of the population in New Zealand were active mobile social media users;
  • the population of NZ had 1.3 smartphones each;
  • there were more mobile subscriptions than people in the country; and  
  • about 46 percent of web traffic was created by mobile phones.

All of this adds up to a lot of digital activity. 

No one wants to be a killjoy, but the combination of the increase in threat activities plus the number of devices heading off to the beach (and those staying home) adds up to even greater risks to your business and individual economic prosperity than at the same time in previous years.

Are your exhausted people going to be using the devices that connect to your network and your data to surf for shopping, quizzes, and puzzles on their well-deserved days of rest?

Earlier this year, the 2021 Fortinet Networking and Cybersecurity Adoption Index Research Report collated the opinions of 300 IT decision-makers in Australian businesses and 105 IT decision-makers in New Zealand businesses. When the research was conducted, the results were clear about the need and demand for awareness training:

“When it comes to IT security programs, awareness was at the top of the list for Australian organisations at 67 percent [and training (62 percent)] while training was at the top of the list for New Zealand organisations at 70 percent followed by awareness (68 percent)”.

Are you one of the organisations surveyed and have you actually got around to putting a programme in place?

Security Awareness and Skills Training – there is no option

In reporting to their boards, most NZ businesses will have covered cyber risks. The frameworks and structures businesses choose to comply with and report to are many and varied, but chances are you have picked one. ISO27001, NIST 800-50 Framework, CERT NZ’s Critical Controls, the ACSC Essential 8, CIS Controls, APRA CPS-234 or MITRE ATT&CK are the best known, and most include an obligation around the delivery of security awareness training.

If you are ISO27001 certified then, apart from the rest of the compliance obligations, you need to be addressing Control 8.2.2 Awareness Training. If the CIS Controls is your chosen framework, then have a look at Control 14.

If you have a cyber risks insurance policy, you may have confirmed in your last policy proposal declaration that you are providing awareness training. Cyber insurance remains an important part of cyber risk management, but the reality is, we all win if training happens but claims do not.

Despite everything I have said, don’t panic, but do:

  • Review the training you do deliver and identify when it was last a compulsory requirement for staff;
  • Consider the latest reports on threats (Fortinet’s FortiGuard Labs provides a good publicly available threat update service) and check that the new attack vectors are covered in your current training;
  • Before the holiday starts, run every staff member and contractor through your security awareness training;
  • If you have no training programme in place, read on for options that are still available before the break;
  • Check your cyber policy terms and make sure you have complied with the hygiene requirements; and
  • Ensure that your record keeping clearly documents when and where training was delivered, and keep the data on staff completion records and results.

Find a Security Awareness Service

There are a number of options out there. For example, organisations of all sizes can benefit from Fortinet’s complimentary information security awareness and training service, which is suitable for your entire workforce, from technical to non-technical employees and contractors. The training takes each person one to two hours to complete, and it educates your workforce about today’s cyber threats, such as phishing, social engineering, and ransomware attacks, and how to protect against them.

The service’s training course was researched and developed in alignment with NIST guidelines: NIST 800-50 and NIST 800-16. To get the ball rolling, sign up here, or use the search term “Fortinet information security awareness and training”, which will get you to the page and the instructions for how to sign up for your organisation.

Protecting you and your family

This urgent need for better awareness is not a business-only problem. All of the family needs to be cyber smart. For teenagers and adults, the Fortinet training is also available free for individuals to sign up.

For the little people there are a number of great video resources. I loved watching the WCF Foundation’s Cyber Security Awareness Program on YouTube and there are plenty to choose from. Australian Leonie Smith is called the Cyber Safety Lady and is based in Sydney. Her site is full of resources for families.

My current favourite resource for little people is “Cyber Safe: A Dog’s Guide to Internet Security”, recently published by Renee Tarun, Fortinet’s Deputy CISO. Available as a book and an e-book, it is accessible by even the littlest person who can swipe a device!

Some further reading: